Techniques
Sample rules
Splunk Command and Scripting Interpreter Risky SPL MLTK
- source: splunk
- techniques:
- T1059
Description
This detection uses a machine learning model named "risky_command_abuse" that is trained by the companion baseline search "Splunk Command and Scripting Interpreter Risky SPL MLTK Baseline"; that baseline must have been run, and the model written, before this search is scheduled. Schedule it to run hourly. It checks whether a user has run ad hoc searches in the past hour that contain risky SPL commands from this list https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warninga and whose combined run time is abnormally long compared with that same user's previous seven days of activity. The trained model labels each user's hourly bucket as an outlier (isOutlier ~= 1.0) or not (isOutlier ~= 0.0), and the search keeps only rows with isOutlier > 0.5. The search requires the Machine Learning Toolkit (for the apply command) and the Splunk_Audit.Search_Activity data model to be populated.
Detection logic
| tstats sum(Search_Activity.total_run_time) AS run_time, values(Search_Activity.search) as searches, count FROM datamodel=Splunk_Audit.Search_Activity WHERE (Search_Activity.user!="") AND (Search_Activity.total_run_time>1) AND (earliest=-1h@h latest=now) AND (Search_Activity.search IN ("*| runshellscript *", "*| collect *", "*| delete *", "*| fit *", "*| outputcsv *", "*| outputlookup *", "*| run *", "*| script *", "*| sendalert *", "*| sendemail *", "*| tscolle*")) AND (Search_Activity.search_type=adhoc) AND (Search_Activity.user!=splunk-system-user) BY _time, Search_Activity.user span=1h
| apply risky_command_abuse
| fields _time, Search_Activity.user, searches, run_time, IsOutlier(run_time)
| rename IsOutlier(run_time) as isOutlier, _time as timestamp
| where isOutlier>0.5
| `splunk_command_and_scripting_interpreter_risky_spl_mltk_filter`
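The pipeline above, reimplemented in Python over constructed audit records as an added example; this is not Splunk's or ESCU's code. It applies the same WHERE filters and the same wildcard list, sums run time per user per hour (the tstats stage), and then compares the latest hour against that user's previous seven days. The MLTK model behind `apply risky_command_abuse` is replaced by a per-user mean plus three standard deviations threshold, which is an assumption made for illustration and not how the trained DensityFunction scores; the sample records, the user names, the fixed "now" timestamp and the policy of surfacing a user who has no baseline hours are likewise constructed for this example.

```python
from collections import defaultdict
from fnmatch import fnmatchcase
from statistics import mean, pstdev

HOUR = 3600
DAY = 24 * HOUR
NOW = 1_700_000_000  # constructed "now" (epoch seconds) so the example is deterministic

# Wildcard list taken from the detection's IN(...) clause; Splunk's "*" maps to fnmatch "*".
RISKY_PATTERNS = [
    "*| runshellscript *", "*| collect *", "*| delete *", "*| fit *",
    "*| outputcsv *", "*| outputlookup *", "*| run *", "*| script *",
    "*| sendalert *", "*| sendemail *", "*| tscolle*",
]


def is_risky(search):
    """Match the search string against the risky-command globs.
    Case-folded, mirroring Splunk's case-insensitive field matching (assumption)."""
    s = search.lower()
    return any(fnmatchcase(s, p) for p in RISKY_PATTERNS)


def hourly_risky_run_time(records):
    """The tstats stage: apply every WHERE clause, then sum total_run_time per
    (hour bucket, user) and collect the matching search strings."""
    run_time = defaultdict(float)
    searches = defaultdict(set)
    for r in records:
        if r["user"] in ("", "splunk-system-user"):
            continue                      # user!="" and user!=splunk-system-user
        if r["search_type"] != "adhoc" or r["total_run_time"] <= 1:
            continue                      # search_type=adhoc, total_run_time>1
        if not is_risky(r["search"]):
            continue                      # search IN (...)
        key = (r["_time"] // HOUR * HOUR, r["user"])   # BY _time span=1h, user
        run_time[key] += r["total_run_time"]
        searches[key].add(r["search"])
    return run_time, searches


def run_detection(records, now=NOW, z=3.0):
    """Stand-in for `apply risky_command_abuse` through `where isOutlier>0.5`.
    Returns the rows the SPL would emit. Outlier policy (assumption, not the MLTK
    model): an hour is an outlier if its summed run time exceeds the user's
    seven-day mean plus z standard deviations, or if the user has fewer than
    two baseline hours to compare against."""
    run_time, searches = hourly_risky_run_time(records)
    window_start = (now - HOUR) // HOUR * HOUR      # earliest=-1h@h
    baseline_start = window_start - 7 * DAY         # previous seven days
    history = defaultdict(list)
    current = defaultdict(float)
    current_searches = defaultdict(set)
    for (t, user), rt in run_time.items():
        if baseline_start <= t < window_start:
            history[user].append(rt)
        elif window_start <= t <= now:
            current[user] += rt
            current_searches[user] |= searches[(t, user)]
    rows = []
    for user, rt in sorted(current.items()):
        hist = history[user]
        if len(hist) < 2:
            is_outlier = 1.0
        else:
            is_outlier = 1.0 if rt > mean(hist) + z * pstdev(hist) else 0.0
        if is_outlier > 0.5:
            rows.append({"timestamp": window_start, "user": user,
                         "searches": sorted(current_searches[user]),
                         "run_time": rt, "isOutlier": is_outlier})
    return rows


def sample_records(now=NOW):
    """Constructed Splunk_Audit.Search_Activity-style records, not real audit data."""
    window_start = (now - HOUR) // HOUR * HOUR
    recs = []
    for d in range(1, 8):   # one small risky ad hoc search per day for alice and bob
        t = window_start - d * DAY + 600
        for user in ("alice", "bob"):
            recs.append({"_time": t, "user": user, "search_type": "adhoc",
                         "total_run_time": 4.0 + d % 3,
                         "search": "index=main | outputlookup risky.csv"})
    recs += [
        # alice: current hour, unusually long runshellscript -> outlier
        {"_time": now - 300, "user": "alice", "search_type": "adhoc", "total_run_time": 900.0,
         "search": "index=main | runshellscript cleanup.sh"},
        # bob: ordinary collect, in line with his baseline -> not an outlier
        {"_time": now - 200, "user": "bob", "search_type": "adhoc", "total_run_time": 6.0,
         "search": "index=main | collect index=summary"},
        # dave: tscollect caught by "*| tscolle*", no baseline -> surfaced
        {"_time": now - 100, "user": "dave", "search_type": "adhoc", "total_run_time": 50.0,
         "search": "index=_internal | tscollect namespace=probe"},
        # excluded by the WHERE clauses: system user, scheduled search, non-risky search, run_time <= 1
        {"_time": now - 50, "user": "splunk-system-user", "search_type": "adhoc",
         "total_run_time": 2000.0, "search": "| collect index=summary"},
        {"_time": now - 40, "user": "carol", "search_type": "scheduled", "total_run_time": 500.0,
         "search": "index=main | sendemail to=x@example.com"},
        {"_time": now - 30, "user": "erin", "search_type": "adhoc", "total_run_time": 3000.0,
         "search": "index=main | stats count"},
        {"_time": now - 20, "user": "frank", "search_type": "adhoc", "total_run_time": 0.5,
         "search": "index=main | delete "},
    ]
    return recs


if __name__ == "__main__":
    for row in run_detection(sample_records()):
        print(row)
```

Run directly it prints two rows, for alice and dave. Two points the code makes visible: apart from `*| tscolle*`, every glob in the list requires the literal `| command ` with a space on both sides, so a search written as `... | outputlookup` with nothing after the command name does not match, and the real `apply` stage returns whatever the trained model decides; the mean-plus-three-sigma rule here is only a readable approximation of an outlier test, not the DensityFunction's scoring.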